11 matches found
Drift-Protocol-Exploit-2026
Case Study: Drift Protocol $285M Logic Exploit April 2026 A...
setFullWeightDuration() can be called while a member election is ongoing
Lines of code Vulnerability details Bug Description In SecurityCouncilMemberElectionGovernorCountingUpgradeable, fullWeightDuration which is the duration where a user's votes has weight 1 can be set using setFullWeightDuration: SecurityCouncilMemberElectionGovernorCountingUpgradeable.solL77-L84...
_scheduleUpdate() should be called during initialize ing the SecurityCouncilManager
Lines of code Vulnerability details Impact Updates will not be scheduled through timelocks and target upgrade executors by the scheduleUpdate call. Initial set of cohort members will not be scheduled. Proof of Concept In SecurityCouncilManager whenever a new member is added, or removed or swapped...
if _rescueFunds was called with the address of a mToken, the admin would currently be able to sweep those tokens,
Lines of code Vulnerability details Impact It allows the admin to steal deposited funds from users It removes mTokens used as collateral to back borrows Proof of Concept Assume there is a mToken at address 0x123 that has issued some tokens. The admin calls rescueFunds0x123, uint.max. This will...
Upgraded Q -> 2 from #16 [1686928129422]
Judge has assessed an item in Issue 16 as 2 risk. The relevant finding follows: L-3 onlyOwner single point of failure Impact The onlyOwner role has a single point of failure and onlyOwner can use critical a few functions. Even if protocol admins/developers are not malicious there is still a chanc...
Centralization risk for trusted owners
Lines of code Vulnerability details Description: Contracts have owners that have privileged rights to perform admin tasks. These owners need to be trusted to not perform malicious updates or drain funds. Having a single Externally Owned Account EOA as the sole owner represents a significant...
Unable to claim vesting due to unbounded timelock loop
Handle nathaniel Vulnerability details Impact The timelocks for any beneficiary are unbounded, and can be vested by someone who is not the beneficiary. When the array becomes significantly big enough, the vestments will no longer be claimable for the beneficiary. The vest function in Vesting.sol...
Missing events/timelocks for owner/admin only functions that change critical parameters
Handle defsec Vulnerability details Impact Owner/admin only functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them...
Missing timelock for critical contract setters of privileged roles
Handle 0xRajeev Vulnerability details Impact Setter functions for critical protocol parameters accessible only by privileged roles e.g. onlyOwner should consider adding timelocks so that users and other privileged roles in the case of a multiSig can detect upcoming changes and have the time to...
Trying to use timestamps with blocknumbers
Handle goatbug Vulnerability details Impact requirebondTimestamp + ONEDAY block.number; There are require statements comparing timestamps to blocknumbers. We cannot assume one block per second, this code would not work on different chains where block times radically differ. The effect is having...
Missing events/timelocks for owner/admin only functions that change critical parameters
Handle 0xRajeev Vulnerability details Impact Owner/admin only functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate the...